Simple public AKS cluster with automatic authorized IP address configuration for demos.
- This cluster enables the workload identity public preview, which requires the cluster's OIDC issuer endpoint and the workload identity extension to be enabled.
- This cluster installs the Azure Key Vault Provider for Secrets Store CSI Driver with secret rotation disabled, so a secret rotated in Key Vault is not refreshed in a pod's mounted volume until the pod is recreated.
- IMPORTANT: to use this module in any Azure subscription you first need to register the workload identity preview feature on that subscription. Follow the steps here to do that; the TL;DR is to run the following commands:
az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"
# Run the following command until you see that the feature is "Registered" (will take a few minutes)
az feature show --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"
# Once the feature is registered, run this command to refresh the provider registration
az provider register --namespace Microsoft.ContainerService
Run the following command with docker installed and running:
docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit
Run the following command with docker installed and running (SKIP_CHECKOV=true skips the checkov static security scan so the check passes; drop that variable to run the scan as well):
docker run --rm -v $(pwd):/src -w /src -e SKIP_CHECKOV=true mcr.microsoft.com/azterraform:latest make pr-check
Run the following command:
docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make unit-test
First, create a service principal in your Azure subscription for Terraform to run as. The e2e test deploys a real cluster, so scope the principal to a test subscription; it must be able to create the resources listed below in an existing resource group, including role assignments (azurerm_role_assignment.aks_network_contributor needs Microsoft.Authorization/roleAssignments/write, which the Contributor role alone does not grant). Then set the environment variables used in the command below from that service principal and run:
docker run --rm -v $(pwd):/src -w /src -e ARM_SUBSCRIPTION_ID -e ARM_TENANT_ID -e ARM_CLIENT_ID -e ARM_CLIENT_SECRET mcr.microsoft.com/azterraform:latest make e2e-test
- Using the service principal values from local tests (or from a different SP if you prefer), add secrets to your GitHub actions under the following names:
- ARM_SUBSCRIPTION_ID
- ARM_TENANT_ID
- ARM_CLIENT_ID
- ARM_CLIENT_SECRET
- TODO (this breaks the pr check right now because using remote state doesn't download providers into the .terraform folder): If you want to use remote terraform state (outside the GitHub Actions runner), which is safer because the state file contains the cluster's kube config and should not be left on an ephemeral runner, create a resource group, storage account and storage container using the following commands:
# Replace names below with your own!
export RESOURCE_GROUP_NAME="andrescotfrg"
export STORAGE_ACCOUNT_NAME="andrescotfacc"
export STORAGE_CONTAINER_NAME="andrescotfcontainer"
az group create -n $RESOURCE_GROUP_NAME -l eastus
# State contains secrets: no anonymous blob access, TLS 1.2 only
az storage account create -n $STORAGE_ACCOUNT_NAME -g $RESOURCE_GROUP_NAME -l eastus --sku Standard_LRS --allow-blob-public-access false --min-tls-version TLS1_2
# Blob versioning lets you recover a state file that was corrupted or overwritten
az storage account blob-service-properties update --account-name $STORAGE_ACCOUNT_NAME --resource-group $RESOURCE_GROUP_NAME --enable-versioning true
az storage container create -n $STORAGE_CONTAINER_NAME --account-name $STORAGE_ACCOUNT_NAME
- TODO (see above): Uncomment the backend block in the examples/basice2e/providers.tf file and fill in the names you chose above.
Name | Version |
---|---|
terraform | ~> 1.3 |
azurerm | ~> 3.24 |
http | ~> 3.2 |
Name | Version |
---|---|
azurerm | ~> 3.24 |
http | ~> 3.2 |
No modules.
Name | Type |
---|---|
azurerm_kubernetes_cluster.main | resource |
azurerm_network_security_group.main | resource |
azurerm_role_assignment.aks_network_contributor | resource |
azurerm_subnet.main | resource |
azurerm_subnet_network_security_group_association.main | resource |
azurerm_user_assigned_identity.aks | resource |
azurerm_virtual_network.main | resource |
azurerm_resource_group.main | data source |
http_http.myip | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
authorized_ip_cidr_range | CIDR range from which the cluster nodes and control plane will be reachable; an empty value means the module uses the auto-detected public IP of the host running Terraform (the http_http.myip data source) | string | "" | no |
cluster_dns_prefix | DNS prefix for AKS cluster | string | "akspubliccluster" | no |
cluster_dns_service_ip_address | IP address for the cluster's DNS service (must lie inside cluster_service_ip_range) | string | "172.16.16.254" | no |
cluster_identity | Name of the MSI (Managed Service Identity) for the AKS cluster | string | "identity-public-aks-cluster" | no |
cluster_name | Name for the public AKS cluster | string | "aks-public-cluster" | no |
cluster_service_ip_range | CIDR range for the cluster's kube-system services (must not overlap subnet_cidr) | string | "172.16.16.0/24" | no |
cluster_sku_tier | SKU tier selection between Free and Standard | string | "Free" | no |
default_node_pool_vm_size | Size of nodes in the k8s cluster's default node pool | string | "Standard_D2a_v4" | no |
resource_group_name | Name of the existing resource group to create the cluster in | string | n/a | yes |
subnet_cidr | CIDR range for the cluster subnet | string | "172.16.0.0/20" | no |
subnet_name | Name of the subnet where all resources will be | string | "subnet-public-aks" | no |
tags | Any tags that should be present on the created resources | map(string) | {} | no |
vnet_cidr | CIDR range for the virtual network | string | "172.16.0.0/16" | no |
vnet_name | Name of the virtual network where all resources will be | string | "vnet-public-aks" | no |
Name | Description |
---|---|
api_server_authorized_ip_ranges | CIDR range of IP addresses that can access the cluster's API server's public endpoint |
credentials_command | Command to get the cluster's credentials with az cli |
id | ID of the created kubernetes cluster |
invoke_command | Sample command to execute k8s commands on the cluster using az cli |
name | Name of the kubernetes cluster created by this module |
oidc_issuer_url | OIDC Issuer URL for the public cluster |
resource_group_name | Name of the resource group where the cluster was created |
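As an added example (not part of this module or its examples directory), the following root module wires the pieces described above together: the azurerm backend pointing at the storage account created by the remote state commands, a call to this module that pins authorized_ip_cidr_range instead of relying on auto-detection, and a federated identity credential that trusts the cluster's oidc_issuer_url output so one Kubernetes service account can use workload identity. The module source path, the resource group name rg-aks-demo, the namespace and service account app/app-sa, the identity and credential names and the state key are assumptions chosen for the example.

```hcl
# Added example: root module consuming this AKS module. Names marked
# "assumed" are placeholders, not values from the module.

terraform {
  required_version = "~> 1.3"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.24"
    }
  }
  # Remote state in the storage account created with the commands above.
  backend "azurerm" {
    resource_group_name  = "andrescotfrg"
    storage_account_name = "andrescotfacc"
    container_name       = "andrescotfcontainer"
    key                  = "aks-public-cluster.tfstate" # assumed
  }
}

provider "azurerm" {
  features {}
}

# Existing resource group the cluster is created in (assumed name).
data "azurerm_resource_group" "rg" {
  name = "rg-aks-demo"
}

module "aks" {
  source              = "../.." # assumed path to this module
  resource_group_name = data.azurerm_resource_group.rg.name

  # Pin the operator's egress IP rather than relying on the auto-detected
  # one: when applied from CI, auto-detection would authorize whatever
  # ephemeral address the runner happens to have.
  authorized_ip_cidr_range = "203.0.113.10/32" # assumed, documentation range
  cluster_sku_tier         = "Free"
  tags = {
    environment = "demo"
  }
}

# Identity the workload runs as; separate from the cluster's own MSI so the
# pod never holds the cluster identity's Network Contributor rights.
resource "azurerm_user_assigned_identity" "workload" {
  name                = "identity-app-workload" # assumed
  resource_group_name = module.aks.resource_group_name
  location            = data.azurerm_resource_group.rg.location
}

# Trust tokens minted by the cluster's OIDC issuer for exactly one service
# account. The subject format is fixed by AKS:
# system:serviceaccount:<namespace>:<service account name>.
resource "azurerm_federated_identity_credential" "app" {
  name                = "fic-app-sa" # assumed
  resource_group_name = module.aks.resource_group_name
  parent_id           = azurerm_user_assigned_identity.workload.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = module.aks.oidc_issuer_url
  subject             = "system:serviceaccount:app:app-sa" # assumed ns/sa
}

output "workload_client_id" {
  # Value for the service account annotation
  # azure.workload.identity/client-id.
  value = azurerm_user_assigned_identity.workload.client_id
}

output "api_server_allowed_from" {
  value = module.aks.api_server_authorized_ip_ranges
}
```

After `terraform apply`, create the `app/app-sa` service account in the cluster with the annotation `azure.workload.identity/client-id` set to the `workload_client_id` output and label the pods that should use it with `azure.workload.identity/use: "true"`. The subject string in the federated credential must match the namespace and service account name exactly; otherwise the token exchange against Azure AD is rejected. Grant the workload identity only the roles the pod needs (for example a read role on the Key Vault the CSI driver mounts), not the rights of the cluster identity.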